WhatsApp is not GDPR compliant (so don’t use it for business)
About 2 billion people around the world use WhatsApp as their go-to messaging app.
Roughly 5 million people specifically use WhatsApp Business, the business spin-off. But many millions more use the standard WhatsApp to contact business clients and communicate with their employees. To do this, they allow the app to access their contacts on their work mobiles.
And here’s where there is a big problem waiting in the wings. The GDPR (General Data Protection Regulation) governs data protection in the EU and the EEA (the European Economic Area, which is the EU member states plus Iceland, Liechtenstein and Norway). And WhatsApp, it turns out, isn’t looking very compliant.
Here’s what we know:
WhatsApp and your data
1) You share data about everyone in your contacts
The first time you use WhatsApp after downloading and installing it, you’re prompted to agree to a little statement which tells you “WhatsApp would like to access your contacts”.
The small print tells you that this means you will “Upload your contacts to WhatsApp’s servers to help you quickly get in touch with your friends”.
For personal use, this might seem not ideal from a privacy standpoint but fairly innocuous. When it comes to using WhatsApp for business, however, this is just painted all over in GDPR red
2) WhatsApp stores all of that data on their servers
The operative word here is “all”. Because you’re not just sharing your own information. You’re not only sharing the information of other people who have WhatsApp accounts (and who presumably also agreed to this).
You’re sharing the details of everyone in your contacts. Even people who don’t use WhatsApp – or who might have only the haziest notion of what a “WhatsApp” even is.
But because you have their details in your contacts – their name, mobile number, home number, email address, perhaps other details about their business – you are agreeing to give that data
3) How does WhatsApp use my data?
This is where we’re slightly in supposition territory. We can’t tell exactly how WhatsApp processes data (which is a key part of whether it’s technically violating the GDPR).
It must process people’s mobile phone numbers in order to determine whether they have a WhatsApp account, to allow you to “quickly get in touch with your friends”. But does it “process” the other data which might be attached to that mobile phone number entry in your contacts? Things like the names and addresses of people who don’t use WhatsApp?
Processing the mobile number with no other data attached might be defensible under the GDPR. Processing the data you have supplied about people who don’t use the app and haven’t agreed to have their data used almost certainly is not.
WhatsApp and GDPR
Is it possible that WhatsApp somehow manages to have all of the details contained in your contacts on its servers, display those details when required and not store that information or
It doesn’t seem that likely. Plus, there’s an important stipulation in the GDPR that says personal data about a person should not be usable to identify them.
As WhatsApp appears to hold a person’s name, address, email addresses and employer, it certainly seems like there might be some level of danger that this information could be used to
After all, this is the kind of data which is usually termed “identifying information”.
How is WhatsApp getting away with this?
Surprisingly easily. Legal scholars who have looked through WhatsApp’s terms of service have found a little clause which states that “You will not use (or assist others in using) our Services in ways that: (f) involve any non-personal use of our Services unless otherwise authorized by us.”
It has been pointed out that this pretty neatly offloads liability to anyone who chooses to use WhatsApp’s services for business
So if you use WhatsApp for business and you come up against a GDPR problem, WhatsApp can simply point the finger at you and say that you were in breach of its terms and conditions all along.
What can I use instead of WhatsApp?
The growing awareness that WhatsApp is not GDPR compliant has led businesses around the world to start searching for alternatives.
Some goals when choosing between these alternatives will be:
- Keep the personal data of your team, the people you work with and your clients safe
- Protect yourself from potential GDPR problems in the future
Slack and Microsoft Teams (part of Microsoft Office 365) are the clear winners in this field when it comes to office communications. They’re both designed for business use and are trusted by millions. Half a million different organisations, in Teams’ case.
If you’re looking for a good WhatsApp alternative for business, look no further.
Want to get vital cybersecurity news like this dropped into your inbox each month?
Sign up to our newsletter. We only send one once a month and it’s always super-relevant cyber stuff.
You can also chat with one of our cybersecurity consultants about the way your business does things right now. We already advise nearly one thousand businesses in and around Bristol about their cybersecurity needs.